3.0.6-rc1 (2013-08-08)

Overview

Details

Security: Require ADMIN for ?flush=1

Flushing the various manifests (class, template, config) is performed through a GET
parameter (flush=1). Since this action requires more server resources than normal requests,
it can facilitate denial-of-service attacks.

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

This applies to both flush=1 and flush=all (technically we only check for the existence of any parameter value)
but only through web requests made through main.php - CLI requests, or any other request that goes through
a custom start up script will still process all flush requests as normal.

Thanks to Christopher Tombleson for reporting.

Upgrading

If you have created your own composite database fields, then you should amend the setValue() to allow the passing of
an object (usually DataObject) as well as an array.

If you have provided your own startup scripts (ones that include core/Core.php) that can be accessed via a web
request, you should ensure that you limit use of the flush parameter

Translation entity namespaces can no longer contain dots, since it conflicts with the YAML format.

Translation entities defined in templates now use their fully qualified entity name without dots.
Before: BackLink_Button.ss.Back, after BackLink_Button_ss.Back. Please fix any custom language
files or uses of those entities in custom code.

If using "Māori/Te Reo" (mi_NZ) as your CMS locale, please re-select it in admin/myprofile
to ensure correct operation (it has changed its locale identifier)

Features and Enhancements

2013-04-21 eb583c5 Added DataObject::getQueriedDatabaseFields() as faster alternative to toMap() API: CompositeDBField::setValue() may be passed an object as its second argument, in addition to array. (Sam Minnee)